Many security tools identify suspicious email by looking for malicious attachments or known-bad (blacklisted) URLs. Impostor emails rarely carry either of these telltale features. Instead, you need the right combination of technology solutions and procedural controls to keep your organization from falling victim to these scams.

From a technical perspective, you need a secure email gateway that supports advanced options for flagging suspicious messages based on attributes (such as message direction and Subject line) and on email authentication (SPF, DKIM and DMARC). At a minimum, configure your email gateway to block messages that spoof your own domain(s); this function is built into most secure email gateways, and publishing a DMARC policy for your domains lets other organizations' gateways reject messages that spoof you as well. Another best practice is automatically adding an [EXTERNAL] tag or similar designation to the subject line of emails that originate outside your organization.

From a human resources perspective, train your staff and put effective processes in place. Beyond the "what to watch for" tips above, here are a few basic guidelines:

Slow down: Attackers often time their campaigns around our busiest periods of the day for good reason. If an accountant is quickly processing several wire transfer requests, she is less likely to pause and consider whether a particular request is suspect.

Check the Reply-to field: Email clients differ, and many hide the Reply-To header until you actually click Reply; when you do, check the address the client filled in before you type anything. Is it a legitimate internal address, an address outside the company, or something that looks unusual? See Figure 1 for an actual spoofed email address with a very suspicious Reply-to as shown in Apple Mail.

Check the domain: Attackers are increasingly using "typosquat" domains and lookalikes (a swapped or dropped character, a different top-level domain) to fool people savvy enough to check the Reply-to field. Anything sensitive (like W-2s or money wires) is worth an extra look to make sure the domain is exactly correct.

Watch for the use of personal accounts: In some cases, attackers may instead use what appears to be a personal email account so that the Reply-to field looks less suspicious. For example, [ceo name]_personal@gmail.com would often not trigger spam rules and could appear legitimate. Use of personal accounts for business requests should be not only a policy violation but also a warning sign for recipients.

Follow a process: Implement appropriate procedural controls for the kinds of transactions BEC phishers are after. Put internal finance and purchasing controls in place to authenticate legitimate requests. This may include adding a secondary, out-of-band in-person or phone approval by someone else in the organization.

This last point is especially important. Adding safeguards that include out-of-band contact – personal interactions outside the back and forth of email conversations – can save organizations hundreds of thousands or even millions of dollars. Vigilant employees are the last line of defense against these threats. You should create a culture in which employees ask questions, think carefully, and understand their important role in security.
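The header checks above (Reply-to, domain, personal account) and the [EXTERNAL] subject tagging from the gateway section can be expressed as a small triage routine. The following Python example is added here and is not code from the original article or from any gateway product; it assumes example.com is the organization's protected domain, uses a short hard-coded list of free-mail providers, and runs over constructed sample messages rather than real traffic. The lookalike test is a deliberately simple heuristic (edit distance of at most one after collapsing common confusable characters); a real gateway would use a larger confusable table and public-suffix-aware domain handling.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organization owns example.com, and these
# free-mail providers count as "personal" accounts. Adjust for your own tenant.
PROTECTED_DOMAINS = {"example.com"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Character swaps commonly used to build lookalike domains (1 for l, 0 for o,
# rn for m, vv for w). Domains are normalised before comparison.
_DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_PAIR_MAP = (("rn", "m"), ("vv", "w"))


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def normalize(domain):
    """Collapse confusable characters so examp1e.com and exarnple.com both read example.com."""
    d = domain.lower()
    for pair, single in _PAIR_MAP:
        d = d.replace(pair, single)
    return d.translate(_DIGIT_MAP)


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for a domain that is not ours but sits within one edit of a
    protected domain after normalisation (examp1e.com, exarnple.com, example.co)."""
    if not domain or domain in PROTECTED_DOMAINS:
        return False
    nd = normalize(domain)
    return any(levenshtein(nd, p) <= 1 for p in PROTECTED_DOMAINS)


def triage(raw_message):
    """Apply the header checks to one RFC 5322 message.

    Returns (subject, flags): the Subject with [EXTERNAL] prepended when the
    From domain is not ours, plus a list of flag strings. The From header can
    itself be forged; only gateway-side SPF/DKIM/DMARC evaluation distinguishes
    a genuine internal message from a spoofed one, which is why blocking domain
    spoofing at the gateway comes first and these checks come second.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    subject = str(msg["Subject"] or "")
    flags = []

    if from_dom not in PROTECTED_DOMAINS:
        flags.append("EXTERNAL")
        if not subject.startswith("[EXTERNAL]"):
            subject = "[EXTERNAL] " + subject

    # Reply-to check: replies would silently go somewhere other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"REPLY_TO_MISMATCH:{reply_dom}")

    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if is_lookalike(dom):
            flags.append(f"LOOKALIKE:{label}:{dom}")
        if dom in FREEMAIL_DOMAINS:
            flags.append(f"PERSONAL_ACCOUNT:{label}:{dom}")
    return subject, flags


# Constructed sample messages for illustration (not real traffic).
SPOOFED_CEO = """\
From: "Pat Lee, CEO" <pat.lee@example.com>
Reply-To: patlee_personal@gmail.com
To: accounts@example.com
Subject: Urgent wire - need this done before noon

Please process the attached wire and confirm by reply.
"""

TYPOSQUAT = """\
From: "Pat Lee, CEO" <pat.lee@examp1e.com>
To: hr@example.com
Subject: W-2 forms for all staff

Send me the W-2s as PDF today.
"""

LEGIT = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch?

Noon works.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed CEO", SPOOFED_CEO), ("typosquat", TYPOSQUAT), ("legitimate", LEGIT)):
        subject, flags = triage(raw)
        print(f"{name:12} {subject!r} -> {flags or 'no flags'}")
```

Run stand-alone, the spoofed-CEO message is flagged only for its Reply-To (the From domain is ours, which is exactly the case a gateway must catch with DMARC rather than with header inspection), the typosquat message is tagged [EXTERNAL] and flagged as a lookalike, and the legitimate internal message produces no flags.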

To learn more about BEC phishing and broader "impostor threat" trends, check out the following resources: